open-eid / DigiDoc4-Client

DigiDoc4 Client is an application for digitally signing and encrypting documents; the software includes functionality to manage Estonian ID-card - change pin codes etc.
https://www.id.ee/en/article/install-id-software/

Error "Signature is unknown" for signature containers containing an invalid OCSP response #1131

Closed user8547 closed 1 year ago

user8547 commented 1 year ago

When a signature container contains an OCSP response that contains validity status of a different certificate serial number than the signatory's certificate included in the signature, DigiDoc4 client shows an error "Signature is unknown" and technical information section wrongly reports that certificate status is unknown (while the status is "Good"). However, it should show "Signature is not valid" with an appropriate description in the technical information section (e.g., "OCSP response does not match signatory's certificate").

Screenshot from 2022-10-18 17-26-46

Test .asice file attached. forgery7.zip

metsma commented 1 year ago

This should be in open-eid/libdigidocpp. OCSP can contain 1 to N references to certificates (rfc6960). If we cannot find a suitable reference to the certificate in the OCSP response, then it is classified as UNKNOWN status.
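The matching rule metsma describes, shown as an added example that is not code from DigiDoc4 or libdigidocpp: an OCSP response carries 1..N SingleResponse entries, each identified by an RFC 6960 CertID (hash algorithm, issuer name hash, issuer key hash, serial number), and the verifier must find the entry whose CertID is the signatory's certificate; when none is found the status is UNKNOWN. The dataclass names, the placeholder issuer bytes and the serial numbers below are constructed for the example; a real implementation decodes the CertID structures from the DER-encoded response instead.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Sequence, Tuple


class CertStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class CertID:
    """RFC 6960 section 4.1.1 CertID: identifies which certificate a SingleResponse is about."""
    hash_algorithm: str      # hashlib name of the responder's chosen hash, e.g. "sha1" or "sha256"
    issuer_name_hash: bytes  # hash over the DER encoding of the issuer's Name
    issuer_key_hash: bytes   # hash over the issuer's public key BIT STRING value
    serial_number: int       # the subject certificate's serialNumber


@dataclass(frozen=True)
class SingleResponse:
    """One of the 1..N SingleResponse entries inside a BasicOCSPResponse."""
    cert_id: CertID
    cert_status: CertStatus


@dataclass(frozen=True)
class SignerCert:
    """The fields of the signatory's certificate needed to rebuild its CertID."""
    serial_number: int
    issuer_name_der: bytes
    issuer_public_key: bytes


def cert_id_for(cert: SignerCert, hash_algorithm: str) -> CertID:
    """Compute the CertID an OCSP responder would use for `cert` under `hash_algorithm`."""
    name_hash = hashlib.new(hash_algorithm, cert.issuer_name_der).digest()
    key_hash = hashlib.new(hash_algorithm, cert.issuer_public_key).digest()
    return CertID(hash_algorithm, name_hash, key_hash, cert.serial_number)


def find_single_response(responses: Sequence[SingleResponse], cert: SignerCert) -> Optional[SingleResponse]:
    """Return the SingleResponse whose CertID refers to `cert`, or None if no entry does.

    The hash algorithm is read from each entry because the responder chooses it. All three
    CertID components must agree, so a different issuer's certificate that happens to carry
    the same serial number does not match.
    """
    for single in responses:
        if single.cert_id == cert_id_for(cert, single.cert_id.hash_algorithm):
            return single
    return None


def classify(responses: Sequence[SingleResponse], cert: SignerCert) -> Tuple[CertStatus, str]:
    """Map an OCSP response onto the signatory's certificate status, with a reason string.

    No matching entry yields UNKNOWN (the behaviour described in the thread), paired with a
    message that names the mismatch rather than a bare "unknown".
    """
    single = find_single_response(responses, cert)
    if single is None:
        return CertStatus.UNKNOWN, (
            "OCSP response does not reference the signatory's certificate "
            f"(serial {cert.serial_number:#x}); {len(responses)} unrelated entries present"
        )
    return single.cert_status, f"OCSP entry for serial {cert.serial_number:#x} reports {single.cert_status.value}"


# --- constructed sample data: placeholder bytes, not real DER names or keys ---
ISSUER_A_NAME = b"constructed-DER-Name-of-issuer-A"
ISSUER_A_KEY = b"constructed-public-key-bits-of-issuer-A"
ISSUER_B_NAME = b"constructed-DER-Name-of-issuer-B"
ISSUER_B_KEY = b"constructed-public-key-bits-of-issuer-B"

SIGNER = SignerCert(serial_number=0x1234, issuer_name_der=ISSUER_A_NAME, issuer_public_key=ISSUER_A_KEY)
OTHER_CERT = SignerCert(serial_number=0x9999, issuer_name_der=ISSUER_A_NAME, issuer_public_key=ISSUER_A_KEY)
SAME_SERIAL_OTHER_ISSUER = SignerCert(serial_number=0x1234, issuer_name_der=ISSUER_B_NAME, issuer_public_key=ISSUER_B_KEY)

# A response that covers the signatory (sha256 CertID) plus an unrelated certificate (sha1 CertID).
OCSP_MATCHING = [
    SingleResponse(cert_id_for(OTHER_CERT, "sha1"), CertStatus.GOOD),
    SingleResponse(cert_id_for(SIGNER, "sha256"), CertStatus.GOOD),
]
# A response whose only entry concerns a different serial number, the situation reported above.
OCSP_WRONG_SERIAL = [SingleResponse(cert_id_for(OTHER_CERT, "sha1"), CertStatus.GOOD)]
# A response about the same serial number under a different issuer: the serial alone is not enough.
OCSP_WRONG_ISSUER = [SingleResponse(cert_id_for(SAME_SERIAL_OTHER_ISSUER, "sha1"), CertStatus.GOOD)]


if __name__ == "__main__":
    for label, resp in [("matching", OCSP_MATCHING), ("wrong serial", OCSP_WRONG_SERIAL), ("wrong issuer", OCSP_WRONG_ISSUER)]:
        status, reason = classify(resp, SIGNER)
        print(f"{label:13s} -> {status.value}: {reason}")
```

The reason string returned alongside the status is what a client could surface in its technical information panel, so that a response referring only to another certificate is reported as a CertID mismatch rather than as a plain "unknown" status.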